Add catalog signing for .js files in Mono workload packs #127242
+124
−2
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -49,9 +49,12 @@ | |
| <MacOSPkg Include="$(ArtifactsPackagesDir)**/dotnet-runtime*.pkg" Exclude="$(ArtifactsPackagesDir)**/dotnet-runtime-internal*.pkg" /> | ||
| <FileSignInfo Include="@(MacOSPkg->'%(Filename)%(Extension)')" CertificateName="MacDeveloperWithNotarization" /> | ||
|
|
||
| <!-- JS files are customer-modifiable runtime/toolchain files. They cannot be | ||
| Authenticode-signed because modifying a signed file breaks the signature. | ||
| Instead, a catalog file (.cat) is generated and signed to provide integrity | ||
| verification. See the GenerateCatalogFiles target in eng/mono.proj. --> | ||
| <FileExtensionSignInfo Update=".js" CertificateName="None" /> | ||
| <FileExtensionSignInfo Include=".cat" CertificateName="Microsoft400" /> | ||
|
Comment on lines
57
to
+58
There was a problem hiding this comment. PR description mentions adding direct signing for
Author
There was a problem hiding this comment. The .cab signing has been moved to dotnet/arcade#16742 so all Arcade-based repos get it by default. The PR description has been updated to reflect this scope change. |
||
|
|
||
| <!-- Third-party components which should be signed. --> | ||
| <FileSignInfo Include="Antlr4.Runtime.Standard.dll" CertificateName="3PartySHA2" /> | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| <# | ||
| .SYNOPSIS | ||
| Generates a catalog definition file (.cdf) and catalog file (.cat) for all .js files | ||
| in the specified root directory. Used for VS signing compliance - the .js files are | ||
| customer-modifiable and cannot be directly Authenticode-signed. | ||
|
|
||
| .PARAMETER RootPath | ||
| Root directory to search for .js files recursively. | ||
|
|
||
| .PARAMETER CatOutputPath | ||
| Full path for the output .cat file. | ||
| #> | ||
| param( | ||
| [Parameter(Mandatory)][string]$RootPath, | ||
| [Parameter(Mandatory)][string]$CatOutputPath, | ||
| [string]$WindowsSdkDir = '', | ||
| [switch]$ErrorIfMakecatNotFound | ||
| ) | ||
|
|
||
| $ErrorActionPreference = 'Stop' | ||
|
|
||
| $cdfPath = [System.IO.Path]::ChangeExtension($CatOutputPath, '.cdf') | ||
|
|
||
| $files = Get-ChildItem -Path $RootPath -Recurse -Filter '*.js' -File | ||
| if ($files.Count -eq 0) { | ||
| Write-Warning "No .js files found under $RootPath - skipping catalog generation." | ||
| exit 0 | ||
| } | ||
|
|
||
| $cdf = @() | ||
| $cdf += '[CatalogHeader]' | ||
| $cdf += "Name=$CatOutputPath" | ||
| $cdf += 'CatalogVersion=2' | ||
| $cdf += 'HashAlgorithms=SHA256' | ||
| $cdf += '' | ||
| $cdf += '[CatalogFiles]' | ||
|
|
||
| $i = 0 | ||
| foreach ($f in $files) { | ||
| $label = "js_${i}_" + ($f.Name -replace '[^\w\.-]', '_') | ||
| $cdf += "<hash>$label=$($f.FullName)" | ||
| $i++ | ||
| } | ||
|
|
||
| $cdf | Set-Content -Path $cdfPath -Encoding ASCII | ||
| Write-Host "Generated CDF with $($files.Count) .js files at $cdfPath" | ||
|
|
||
| $catDir = [System.IO.Path]::GetDirectoryName($CatOutputPath) | ||
| if (-not (Test-Path $catDir)) { | ||
| New-Item -ItemType Directory -Path $catDir -Force | Out-Null | ||
| } | ||
|
Comment on lines
+22
to
+48
There was a problem hiding this comment. The script writes the .cdf file before ensuring the output directory exists. If the directory for
Author
There was a problem hiding this comment. Fixed — moved the directory creation before the |
||
|
|
||
| # Find makecat.exe - it ships with the Windows SDK and may not be on PATH. | ||
| $makecat = $null | ||
| if ($WindowsSdkDir -and (Test-Path $WindowsSdkDir)) { | ||
| $makecat = Get-ChildItem -Path (Join-Path $WindowsSdkDir 'bin') -Recurse -Filter 'makecat.exe' -File | | ||
| Where-Object { $_.DirectoryName -match 'x64' } | | ||
| Sort-Object DirectoryName -Descending | | ||
| Select-Object -First 1 | ||
| } | ||
|
|
||
| if (-not $makecat) { | ||
| $makecat = Get-Command makecat.exe -ErrorAction SilentlyContinue | ||
| } | ||
|
|
||
| if (-not $makecat) { | ||
| # Fallback: search common Windows SDK locations | ||
| $sdkRoot = "${env:ProgramFiles(x86)}\Windows Kits\10\bin" | ||
| if (Test-Path $sdkRoot) { | ||
| $makecat = Get-ChildItem -Path $sdkRoot -Recurse -Filter 'makecat.exe' -File | | ||
| Where-Object { $_.DirectoryName -match 'x64' } | | ||
| Sort-Object DirectoryName -Descending | | ||
| Select-Object -First 1 | ||
| } | ||
| } | ||
|
|
||
| if (-not $makecat) { | ||
| if ($ErrorIfMakecatNotFound) { | ||
| throw "makecat.exe not found. Catalog signing requires the Windows SDK which must be available in CI builds." | ||
| } | ||
| Write-Warning "makecat.exe not found - skipping catalog generation. Catalog signing requires the Windows SDK." | ||
| exit 0 | ||
| } | ||
|
|
||
| $makecatPath = if ($makecat -is [System.Management.Automation.CommandInfo]) { $makecat.Source } else { $makecat.FullName } | ||
| Write-Host "Using makecat.exe at: $makecatPath" | ||
|
|
||
| & $makecatPath $cdfPath | ||
| if ($LASTEXITCODE -ne 0) { | ||
| throw "makecat.exe failed with exit code $LASTEXITCODE" | ||
| } | ||
|
|
||
| Write-Host "Generated catalog file: $CatOutputPath" | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The comment references
eng/mono.proj, but that file/target doesn't exist in this repo; theGenerateCatalogFilestarget is insrc/installer/pkg/sfx/Microsoft.NETCore.App/Microsoft.NETCore.App.Runtime.Mono.sfxproj. Please update the reference so future maintainers can find the implementation.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed — updated the comment to reference the correct path:
src/installer/pkg/sfx/Microsoft.NETCore.App/Microsoft.NETCore.App.Runtime.Mono.sfxproj.